216.73.216.86

Crossed wires: a case study of Iranian espionage and attribution

· Published 05/11/2025 19:04 · Modified 05/11/2025 22:10

Export JSON

Essential information

Published
05/11/2025 19:04
Modified
05/11/2025 22:10
Tags
2025-11-05 attribution challenges credential harvesting espionage iranian threat actor isl online minibike minijunk overlapping ttps pdqconnect phishing policy experts targeting rmm tools
Related entities
55 observables, 1 intrusion sets (apt), 16 techniques (mitre), 5 others

Description

This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The actor used domestic political lures related to Iran, benign conversation starters, health-themed infrastructure, and Remote Management & Monitoring tools. The investigation revealed overlapping tactics with several Iranian threat groups, including TA455, TA453, and TA450. While attribution remains uncertain, the targeting and techniques align with Iranian intelligence priorities. The analysis explores possible explanations for the convergence of tactics, such as shared resources, personnel mobility, or collaboration between Iranian agencies.

External references